3

Saw a warning from Google next to my app's name in Developer Console, about unsafe implementation of TrustManager. I went through the code, but there's no single place where TrustManager or the checkServerTrusted method is used, so I'm not sure where to handle the exceptions that Google suggests. The only place I can think of where it could possibly be is in the IAB (In-App Billing) related libraries. Any ideas?

Update
While the cause of this error can be different for everyone, in my particular case the issue was with the Flurry analytics library. I had a rather old version of it, and once I removed it the problem was gone.

Levon
  • Did you get an email? Usually there will be an email telling you which class was flagged. – Antimony Mar 01 '16 at 00:59
  • It is possible that you received this error because you lack the implementation. See [How to fix apps containing an unsafe implementation of TrustManager](https://support.google.com/faqs/answer/6346016?hl=en). It says "While these specific issues may not affect every app with the TrustManager implementation, it’s best not to ignore SSL certificate validation errors. Apps with vulnerabilities that expose users to risk of compromise may be considered dangerous products in violation of the Content Policy and section 4.4 of the Developer Distribution Agreement." – gerardnimo Mar 01 '16 at 01:55
  • @Antimony The email mentions only the obfuscated class name com.b.a.af, unfortunately – Levon Mar 13 '16 at 14:51
  • 2
    @gerardnimo Thanks, I'm aware of the reason -- I'm trying to locate the exact place where the problem is. As I said, I don't use any of TrustManager or SSL, etc., so the only suspicion is either Flurry or IAB libraries – Levon Mar 13 '16 at 14:53
  • Did the library come preobfuscated? If you ran proguard yourself, it should be possible to get the mapping of unobfuscated names. – Antimony Mar 13 '16 at 17:49
  • @Levon, was your file FlurryAgent.jar? I have a similar situation and I'm not sure which library is causing the problem. – jazzyjester Apr 12 '16 at 09:42
  • @jazzyjester, I believe so, yes. It was a version from a few years back that I never updated as it just worked. I have now dropped Flurry and switched to Google Analytics, as it makes more sense for the project. HTH – Levon Apr 12 '16 at 10:47
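
An added example, not part of the original thread or any poster's code: one way to find which library jar contains the flagged class. ProGuard cannot rename framework interfaces such as `javax.net.ssl.X509TrustManager`, so even an obfuscated class like `com.b.a.af` still names the interface in its class file; the jar paths passed on the command line are the reader's own.

```python
import struct
import sys
import zipfile

TRUST_IFACE = "javax/net/ssl/X509TrustManager"
# Size in bytes of each constant-pool entry after its tag (JVM class-file format).
CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
            15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def implemented_interfaces(data):
    """Return (class_name, [directly implemented interfaces]) for .class bytes."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    (count,) = struct.unpack_from(">H", data, 8)
    pool, pos, i = {}, 10, 1
    while i < count:
        tag = data[pos]
        pos += 1
        if tag == 1:  # Utf8: u2 length followed by the bytes
            (n,) = struct.unpack_from(">H", data, pos)
            pool[i] = data[pos + 2:pos + 2 + n].decode("utf-8", "replace")
            pos += 2 + n
        else:
            if tag == 7:  # Class: index of the Utf8 entry holding its name
                pool[i] = struct.unpack_from(">H", data, pos)[0]
            pos += CP_SIZES[tag]
        i += 2 if tag in (5, 6) else 1  # long and double occupy two slots
    _flags, this_cls, _super, n_if = struct.unpack_from(">4H", data, pos)
    ifaces = struct.unpack_from(">%dH" % n_if, data, pos + 8)
    return pool[pool[this_cls]], [pool[pool[x]] for x in ifaces]

def find_trust_managers(jar_path):
    """List classes in a jar that directly implement X509TrustManager.
    Classes that only inherit the interface from a superclass are not reported."""
    hits = []
    with zipfile.ZipFile(jar_path) as jar:
        for entry in (e for e in jar.namelist() if e.endswith(".class")):
            try:
                cls, ifaces = implemented_interfaces(jar.read(entry))
            except (ValueError, KeyError, IndexError, struct.error):
                continue  # skip malformed or non-class entries
            if TRUST_IFACE in ifaces:
                hits.append(cls.replace("/", "."))
    return sorted(hits)

if __name__ == "__main__":
    for path in sys.argv[1:]:  # assumption: paths to the project's library jars
        print(path, find_trust_managers(path))
```

Run it over every jar in the project's `libs/` directory (and `classes.jar` from any AAR). A hit only shows where a custom TrustManager lives, so its `checkServerTrusted` body still has to be reviewed.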

1 Answer

0

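Add the code below to your activity:

```java
public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
    try {
        // Throws if the first certificate in the chain is expired or not yet valid.
        chain[0].checkValidity();
    } catch (Exception e) {
        // Keep the original exception as the cause.
        throw new CertificateException("Certificate not valid or trusted.", e);
    }
}
```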
Jatin